What are the Adyen security foundations?

Security foundations at Adyen

As a financial service provider, securing data is a top priority at Adyen and is  built into every part of our business. In order to ensure security is at the forefront of everything we do, we’ve created the Adyen Security Foundations. The foundations include important principles to keep our platform and processes secure.

1. Everybody does security

At Adyen, everyone has a role to play when it comes to security. Security is a given part of our day-to-day work and it’s never another team’s problem. Teams own their own security practices, and we collectively keep our practices up to date with our growing business. 

2. Defense in depth 

To keep data and systems secure, we layer protection and prevent single points of failure.W e own and manage everything about our products and services, from beginning to the end. This gives us full control over everything we do and helps us secure our platform and data. 
Every piece of code that makes our platform run was written by one of our engineers. We don't let external parties, including consultants, access our platform, code, or data. 

3. Independent, available, and redundant infrastructure

Uptime is critical to our customers’ success. By not relying on third-parties, careful monitoring, and building in redundancy and latency to everything we ship we bring minimal risk to the businesses we work with. 

4. Avoiding insecure components

At Adyen, we minimize exposure to risks that are inherent to the usage of specific technologies, vendors, and software components. Not all technologies are designed and built with security in mind. We try to avoid components that have shown recurring signs of bad security practices, have repeatedly been the cause of breaches, or are widely considered dangerous through rigorous screening.

5. Zero-trust network design

Our network has been segmented on multiple layers following the zero-trust principle. We use a tiered approach of physically isolated networks that are each assigned to a specific purpose, with our payment platform being the highest security tier. Every component in our network is treated as untrusted by default, so components can only communicate with systems they are explicitly allowed to communicate with, and only use services they are explicitly allowed to use.

6. Secure by default

We deploy, configure, and harden every core and supporting component in our platform infrastructure with automation. By doing so, we ensure that each server, network component, and other hardware operates in line with security best practices and benchmarks. We use a similar approach to protect our employees’ laptops, which are managed and hardened centrally by our infrastructure engineers.

7. Secure engineering

At Adyen, security is embedded in every phase of our product lifecycle. This allows us to catch flaws at an early stage and substantially reduce risk, workload, and the need for excessive security engineering activities.